Merge remote-tracking branch 'upstream/main'

.gitlab-ci.yml

@@ -7,16 +7,16 @@ stages:
   - deploy
 
 variables:
+  FF_DISABLE_UMASK_FOR_DOCKER_EXECUTOR: "true" # see https://gitlab.com/gitlab-org/gitlab-runner/-/issues/1736
   GITLABCI_VERSION:    "2.1"
   GITLABCI_IMAGE:      "gitlabci"
-  CI_PRE_CLONE_SCRIPT: "umask 0022" # required until feature flag FF_DISABLE_UMASK_FOR_DOCKER_EXECUTOR is set to true on GitLab.com, see https://gitlab.com/gitlab-org/gitlab-runner/-/issues/1736
   CONTRIBUTOR_IMAGE:   "domjudge/domjudge-contributor"
   DOMJUDGE_VERSION:
     value:             "M.m.pp"
     description:       "The DOMjudge version, Change this variable to 7.3.3 to release the 7.3.3 dockers. The file should be available on the domjudge.org webserver."
   DOMJUDGE_LATEST:
     value:             "true"
-    description:       "Whether this is the latest release"    
+    description:       "Whether this is the latest release"
 
 # Docker Login steps
 .release_template: &release_docker
@@ -129,5 +129,20 @@ check-pr-DOMjudge:
     - HUBURL="https://registry.hub.docker.com/v2/repositories/domjudge/domserver/tags"
     - apk add jq curl
     - TAG=$(curl $HUBURL|jq '.results | sort_by(.name) | .[length-2].name')
+    - TAG=${TAG//\"}
     - cd docker
-    - sh ./build.sh ${TAG//\"}
+    - sh ./build.sh "$TAG"
+    - |
+      # check that there are no world-writable files
+      # (this is mainly a regression test for FF_DISABLE_UMASK_FOR_DOCKER_EXECUTOR)
+      # ignore symbolic links, because they always have mode "rwxrwxrwx"
+      # ignore directories with restricted deletion flag (e.g. /tmp), because they are fine
+      # ignore character devices (e.g. /chroot/domjudge/dev/* in image domjudge/judgehost are fine)
+      for IMG in domserver judgehost; do
+        files=$(docker run --rm --pull=never "domjudge/$IMG:$TAG" find / -xdev -perm -o+w ! -type l ! \( -type d -a -perm -+t \) ! -type c)
+        if [ -n "$files" ]; then
+          echo "error: image docker/$IMG contains world-writable files:" >&2
+          printf "%s\n" "$files" >&2
+          exit 1
+        fi
+      done

docker-contributor/Dockerfile

@@ -1,5 +1,5 @@
 ARG ARCH=
-FROM "${ARCH}ubuntu:focal"
+FROM "${ARCH}ubuntu:jammy"
 LABEL maintainer="DOMjudge team <[email protected]>"
 
 ENV DEBIAN_FRONTEND=noninteractive \
@@ -21,9 +21,9 @@ RUN apt update \
     && apt install --no-install-recommends --no-install-suggests -y \
     dumb-init autoconf automake git acl \
     gcc g++ make zip unzip mariadb-client \
-    nginx php7.4 php7.4-cli php7.4-fpm php7.4-zip \
-    php7.4-gd php7.4-curl php7.4-mysql php7.4-json php7.4-intl \
-    php7.4-gmp php7.4-xml php7.4-mbstring php7.4-xdebug php7.4-pcov \
+    nginx php8.1 php8.1-cli php8.1-fpm php8.1-zip \
+    php8.1-gd php8.1-curl php8.1-mysql php8.1-intl \
+    php8.1-gmp php8.1-xml php8.1-mbstring php8.1-xdebug php8.1-pcov \
     bsdmainutils ntp \
     linuxdoc-tools linuxdoc-tools-text groff \
     python3-sphinx python3-sphinx-rtd-theme python3-pip fontconfig python3-yaml \
@@ -34,12 +34,9 @@ RUN apt update \
     supervisor apache2-utils lsb-release \
     libcurl4-gnutls-dev libjsoncpp-dev libmagic-dev \
     enscript lpr ca-certificates less vim \
-    php-pear php-dev software-properties-common \
+    php-pear php-dev software-properties-common python3-pygments rst2pdf gpg-agent tex-gyre \
     && rm -rf /var/lib/apt/lists/*
 
-# Needed for building the docs
-RUN pip3 install pygments && pip3 install rst2pdf
-
 # Forward nginx request and error logs to standard output/error. Also create directory for PHP-FPM socket
 RUN ln -sf /dev/stdout /var/log/nginx/access.log \
 	&& ln -sf /dev/stderr /var/log/nginx/error.log \
@@ -60,15 +57,15 @@ RUN apt update && \
 # Install all supported PHP versions
 RUN add-apt-repository ppa:ondrej/php -y && apt update
 RUN for VERSION in $PHPSUPPORTED; do \
-        if [ "${VERSION}" != "7.4" ]; then \
+        if [ "${VERSION}" != "8.1" ]; then \
             $APTINSTALL php${VERSION}; \
         fi; \
     done
 RUN PACKAGES=$(dpkg-query -f '${binary:Package}\n' -W|grep "^php.*-"); \
     for PACKAGE in $PACKAGES; do \
         PACKAGEALLVERSIONS="" && \
         for VERSION in $PHPSUPPORTED; do \
-            if [ "${VERSION}" != "7.4" ]; then \
+            if [ "${VERSION}" != "8.1" ]; then \
                 PACKAGEALLVERSIONS="$PACKAGEALLVERSIONS php${VERSION}-${PACKAGE#php*-}"; \
             fi; \
         done; \
@@ -83,11 +80,6 @@ RUN for VERSION in $PHPSUPPORTED; do \
     done
 RUN update-alternatives --set php-fpm /usr/sbin/php-fpm${DEFAULTPHPVERSION}
 
-# Add exposed volume
-VOLUME ["/domjudge"]
-
-WORKDIR /domjudge
-
 # Add PHP configuration
 RUN mkdir /php-config
 COPY ["php-config", "/php-config"]
@@ -114,5 +106,7 @@ COPY ["supervisor", "/etc/supervisor/conf.d/"]
 COPY ["sudoers-domjudge", "/etc/sudoers.d/domjudge"]
 RUN chmod 440 /etc/sudoers.d/domjudge
 
+USER domjudge
+
 # Expose HTTP port
 EXPOSE 80

docker-contributor/README.md

@@ -37,10 +37,10 @@ Next, if you are on Linux make sure you have cgroups enabled. See the [DOMjudge
 Now you can run DOMjudge itself using the following command:
 
 ```bash
-docker run -v [path-to-domjudge-checkout]:/domjudge -v /sys/fs/cgroup:/sys/fs/cgroup:ro --link dj-mariadb:mariadb -it -e MYSQL_HOST=mariadb -e MYSQL_USER=domjudge -e MYSQL_DATABASE=domjudge -e MYSQL_PASSWORD=djpw -e MYSQL_ROOT_PASSWORD=rootpw -p 12345:80 --name domjudge --privileged domjudge/domjudge-contributor
+docker run -v [path-to-domjudge-checkout]:[path-to-domjudge-checkout] -v /sys/fs/cgroup:/sys/fs/cgroup:ro --link dj-mariadb:mariadb -it -e PROJECT_DIR=[path-to-domjudge-checkout] -p 12345:80 --name domjudge --privileged domjudge/domjudge-contributor
 ```
 
-Make sure you replace `[path-to-domjudge-checkout]` with the path to your local DOMjudge checkout. On recent macOS and Windows Docker builds, you should add `:cached` at the end of the `/domjudge` volume (i.e. `-v [path-to-domjudge-checkout]:/domjudge:cached`) to speed up the webserver a lot.
+Make sure you replace `[path-to-domjudge-checkout]` with the path to your local DOMjudge checkout. On recent macOS and Windows Docker builds, you should add `:cached` at the end of the volume (i.e. `-v [path-to-domjudge-checkout]:[path-to-domjudge-checkout]:cached`) to speed up the webserver a lot.
 
 The above command will start the container, set up DOMjudge for a maintainer install, set up the database and create a chroot to be used by the judgedaemons. It will then start nginx, PHP-FPM and two judgedaemons using supervisord.
 
@@ -128,7 +128,7 @@ Xdebug has the following settings:
 
 ### Accessing the judgings
 
-Because the chroot script copies some special devices into every chroot used for judging and Docker does not support having these special devices on volumes, a bind-mount is created for `/domjudge/output/judgings`. Thus, if you want to access the contents of this directory, use `docker exec -it domjudge bash` to get access into the container and go to that directory.
+Because the chroot script copies some special devices into every chroot used for judging and Docker does not support having these special devices on volumes, a bind-mount is created for `[path-to-domjudge-checkout]/output/judgings`. Thus, if you want to access the contents of this directory, use `docker exec -it domjudge bash` to get access into the container and go to that directory.
 
 ## Building the image
 

docker-contributor/php-config/xdebug.ini

@@ -1,4 +1,3 @@
-xdebug.remote_autostart=1
-xdebug.remote_enable=1
-xdebug.remote_host=host.docker.internal
-xdebug.idekey=IDE
+xdebug.mode=develop,debug
+xdebug.client_host=host.docker.internal
+xdebug.start_with_request=yes

docker-contributor/scripts/bin/extra-judges

@@ -7,6 +7,6 @@ then
 fi
 
 for id in `seq 2 3`; do
-  supervisorctl $1 judgedaemon$id
+  sudo supervisorctl $1 judgedaemon$id
 done
 

docker-contributor/scripts/bin/symfony-log

@@ -1,7 +1,12 @@
 #!/bin/bash
-if [[ -d /domjudge/webapp/var/log ]]
+if [ -z "$PROJECT_DIR" ]
 then
-    tail -F /domjudge/webapp/var/log/dev.log
+  PROJECT_DIR=/domjudge
+fi
+
+if [[ -d "${PROJECT_DIR}/webapp/var/log" ]]
+then
+    tail -F "${PROJECT_DIR}/webapp/var/log/dev.log"
 else
-    tail -F /domjudge/webapp/var/logs/dev.log
+    tail -F "${PROJECT_DIR}/webapp/var/logs/dev.log"
 fi

docker-contributor/scripts/bin/xdebug-disable

@@ -1,3 +1,3 @@
 #!/bin/bash
-phpdismod xdebug
-supervisorctl restart php
+sudo phpdismod xdebug
+sudo supervisorctl restart php

docker-contributor/scripts/bin/xdebug-enable

@@ -1,3 +1,3 @@
 #!/bin/bash
-phpenmod xdebug
-supervisorctl restart php
+sudo phpenmod xdebug
+sudo supervisorctl restart php

docker-contributor/scripts/start.sh

@@ -10,32 +10,37 @@ function file_or_env {
 }
 
 echo "[..] Setting timezone"
-ln -snf "/usr/share/zoneinfo/${CONTAINER_TIMEZONE}" /etc/localtime
-echo "${CONTAINER_TIMEZONE}" > /etc/timezone
-dpkg-reconfigure -f noninteractive tzdata
+sudo ln -snf "/usr/share/zoneinfo/${CONTAINER_TIMEZONE}" /etc/localtime
+echo "${CONTAINER_TIMEZONE}" | sudo tee /etc/timezone
+sudo dpkg-reconfigure -f noninteractive tzdata
 echo "[ok] Container timezone set to: ${CONTAINER_TIMEZONE}"; echo
 
 echo "[..] Changing nginx and PHP configuration settings"
 # Set correct settings
-sed -ri -e "s/^user.*/user domjudge;/" /etc/nginx/nginx.conf
+sudo sed -ri -e "s/^user.*/user domjudge;/" /etc/nginx/nginx.conf
 for VERSION in $PHPSUPPORTED
 do
-  sed -ri -e "s/^upload_max_filesize.*/upload_max_filesize = 100M/" \
+  sudo sed -ri -e "s/^upload_max_filesize.*/upload_max_filesize = 100M/" \
       -e "s/^post_max_size.*/post_max_size = 100M/" \
       -e "s/^memory_limit.*/memory_limit = 2G/" \
       -e "s/^max_file_uploads.*/max_file_uploads = 200/" \
       -e "s#^;date\.timezone.*#date.timezone = ${CONTAINER_TIMEZONE}#" \
       "/etc/php/${VERSION}/fpm/php.ini"
-  sed -ri -e "s#^;date\.timezone.*#date.timezone = ${CONTAINER_TIMEZONE}#" \
+  sudo sed -ri -e "s#^;date\.timezone.*#date.timezone = ${CONTAINER_TIMEZONE}#" \
       "/etc/php/${VERSION}/cli/php.ini"
 done
 echo "[ok] Done changing nginx and PHP configuration settings"; echo
 
-cd /domjudge
+if [ -z "$PROJECT_DIR" ]
+then
+  PROJECT_DIR=/domjudge
+fi
+
+cd "$PROJECT_DIR"
 
 if [[ ! -f README.md ]] || ! grep -q DOMjudge README.md
 then
-  echo "DOMjudge sources not found. Did you add a volume with your DOMjudge checkout at /domjudge?"
+  echo "DOMjudge sources not found. Did you add a volume with your DOMjudge checkout at ${PROJECT_DIR}?"
   exit 1
 fi
 
@@ -48,7 +53,6 @@ host=${MYSQL_HOST}
 user=root
 password=${MYSQL_ROOT_PASSWORD}
 EOF
-chown domjudge: /home/domjudge/.my.cnf
 
 echo "[..] Updating database credentials file"
 echo "dummy:${MYSQL_HOST}:${MYSQL_DATABASE}:${MYSQL_USER}:${MYSQL_PASSWORD}" > etc/dbpasswords.secret
@@ -59,15 +63,15 @@ then
   echo "Skipping maintainer-mode install for DOMjudge"
 else
   echo "[..] Performing maintainer-mode install for DOMjudge"
-  sudo -H -u domjudge make maintainer-conf CONFIGURE_FLAGS="--with-baseurl=http://localhost/ --with-webserver-group=domjudge"
-  sudo -H -u domjudge make maintainer-install
+  make maintainer-conf CONFIGURE_FLAGS="--with-baseurl=http://localhost/ --with-webserver-group=domjudge"
+  make maintainer-install
   echo "[ok] DOMjudge installed in Maintainer-mode"; echo
 fi
 
 echo "[..] Setting up bind mount and correct permissions for judgings"
-mkdir -p /domjudge-judgings
-mount -o bind /domjudge-judgings /domjudge/output/judgings
-chown -R domjudge output
+sudo mkdir -p /domjudge-judgings
+sudo mount -o bind /domjudge-judgings "${PROJECT_DIR}/output/judgings"
+sudo chown -R domjudge output
 echo "[ok] Done setting up permissions"
 
 # Sometimes when running `docker-compose up` we're too fast at this step
@@ -91,13 +95,13 @@ then
   exit 1
 fi
 
-if ! bin/dj_setup_database -uroot -p"${MYSQL_ROOT_PASSWORD}" status > /dev/null 2>&1
+if ! sudo bin/dj_setup_database -uroot -p"${MYSQL_ROOT_PASSWORD}" status > /dev/null 2>&1
 then
   echo "  Database not installed; installing..."
-  bin/dj_setup_database -uroot -p"${MYSQL_ROOT_PASSWORD}" bare-install
+  sudo bin/dj_setup_database -uroot -p"${MYSQL_ROOT_PASSWORD}" bare-install
 else
   echo "  Database installed; upgrading..."
-  bin/dj_setup_database -uroot -p"${MYSQL_ROOT_PASSWORD}" upgrade
+  sudo bin/dj_setup_database -uroot -p"${MYSQL_ROOT_PASSWORD}" upgrade
 fi
 echo "[ok] Database ready"; echo
 
@@ -107,63 +111,64 @@ echo "[ok] Changed restapi URL from http://localhost/domjudge to http://localhos
 
 echo "[..] Copying webserver config"
 # Set up vhost
-cp etc/nginx-conf /etc/nginx/sites-enabled/default
+sudo cp etc/nginx-conf /etc/nginx/sites-enabled/default
 # Replace nginx php socket location
-sed -i 's/server unix:.*/server unix:\/var\/run\/php-fpm-domjudge.sock;/' /etc/nginx/sites-enabled/default
+sudo sed -i 's/server unix:.*/server unix:\/var\/run\/php-fpm-domjudge.sock;/' /etc/nginx/sites-enabled/default
 # Remove default FPM pool config and link in DOMjudge version
 for VERSION in $PHPSUPPORTED
 do
   if [[ -f /etc/php/${VERSION}/fpm/pool.d/www.conf ]]
   then
-    rm "/etc/php/${VERSION}/fpm/pool.d/www.conf"
+    sudo rm "/etc/php/${VERSION}/fpm/pool.d/www.conf"
   fi
   if [[ ! -f /etc/php/${VERSION}/fpm/pool.d/domjudge.conf ]]
   then
-    ln -s /domjudge/etc/domjudge-fpm.conf "/etc/php/${VERSION}/fpm/pool.d/domjudge.conf"
+    sudo ln -s "${PROJECT_DIR}/etc/domjudge-fpm.conf" "/etc/php/${VERSION}/fpm/pool.d/domjudge.conf"
   fi
   # Change pm.max_children
-  sed -i "s/^pm\.max_children = .*$/pm.max_children = ${FPM_MAX_CHILDREN}/" "/etc/php/${VERSION}/fpm/pool.d/domjudge.conf"
+  sudo sed -i "s/^pm\.max_children = .*$/pm.max_children = ${FPM_MAX_CHILDREN}/" "/etc/php/${VERSION}/fpm/pool.d/domjudge.conf"
 done
 
-chown domjudge: /domjudge/etc/dbpasswords.secret
-chown domjudge: /domjudge/etc/restapi.secret
-# shellcheck disable=SC2034
-HAS_INNER_NGINX=1
-cp etc/nginx-conf-inner /etc/nginx/snippets/domjudge-inner
+sudo chown domjudge: "${PROJECT_DIR}/etc/dbpasswords.secret"
+sudo chown domjudge: "${PROJECT_DIR}/etc/restapi.secret"
+sudo cp etc/nginx-conf-inner /etc/nginx/snippets/domjudge-inner
 NGINX_CONFIG_FILE=/etc/nginx/snippets/domjudge-inner
-sed -i 's/\/domjudge\/etc\/nginx-conf-inner/\/etc\/nginx\/snippets\/domjudge-inner/' /etc/nginx/sites-enabled/default
+sudo sed -i "s|${PROJECT_DIR}/etc/nginx-conf-inner|/etc/nginx/snippets/domjudge-inner|" /etc/nginx/sites-enabled/default
 # Run DOMjudge in root
-sed -i '/^# location \//,/^# \}/ s/# //' $NGINX_CONFIG_FILE
-sed -i '/^location \/domjudge/,/^\}/ s/^/#/' $NGINX_CONFIG_FILE
-sed -i 's/\/domjudge;/"";/' $NGINX_CONFIG_FILE
+sudo sed -i '/^# location \//,/^# \}/ s/# //' $NGINX_CONFIG_FILE
+sudo sed -i '/^location \/domjudge/,/^\}/ s/^/#/' $NGINX_CONFIG_FILE
+sudo sed -i 's/\/domjudge;/"";/' $NGINX_CONFIG_FILE
 # Remove access_log and error_log entries
-sed -i '/access_log/d' $NGINX_CONFIG_FILE
-sed -i '/error_log/d' $NGINX_CONFIG_FILE
+sudo sed -i '/access_log/d' $NGINX_CONFIG_FILE
+sudo sed -i '/error_log/d' $NGINX_CONFIG_FILE
 # Use debug front controller
-sed -i 's/app\.php/app_dev.php/g' $NGINX_CONFIG_FILE
-sed -i 's/app\\\.php/app\\_dev.php/g' $NGINX_CONFIG_FILE
+sudo sed -i 's/app\.php/app_dev.php/g' $NGINX_CONFIG_FILE
+sudo sed -i 's/app\\\.php/app\\_dev.php/g' $NGINX_CONFIG_FILE
 # Set up permissions (make sure the script does not stop if this fails, as this will happen on macOS / Windows)
-chown domjudge: /domjudge/webapp/var
+sudo chown domjudge: "${PROJECT_DIR}/webapp/var"
 echo "[ok] Webserver config installed"; echo
 
 if [[ ! -d /chroot/domjudge ]]
 then
   echo "[..] Setting up chroot"
-  bin/dj_make_chroot
+  sudo bin/dj_make_chroot
   echo "[ok] Done setting up chroot"; echo
 fi
 
 echo "[..] Setting up cgroups"
 if [[ -f bin/create_cgroups ]]
 then
-  bin/create_cgroups
+  sudo bin/create_cgroups
 else
-  judge/create_cgroups
+  sudo judge/create_cgroups
 fi
 echo "[ok] cgroups set up"; echo
 
 echo "[..] Adding sudoers configuration"
-cp etc/sudoers-domjudge /etc/sudoers.d/
+sudo cp etc/sudoers-domjudge /etc/sudoers.d/
 echo "[ok] Sudoers configuration added"; echo
 
-exec supervisord -n -c /etc/supervisor/supervisord.conf
+sudo sed -i "s|PROJECT_DIR|${PROJECT_DIR}|" /etc/supervisor/conf.d/judgedaemon.conf
+sudo sed -i "s|PROJECT_DIR|${PROJECT_DIR}|" /etc/supervisor/conf.d/judgedaemonextra.conf
+
+exec sudo supervisord -n -c /etc/supervisor/supervisord.conf

docker-contributor/supervisor/judgedaemon.conf

@@ -1,7 +1,7 @@
 [program:judgedaemon]
 process_name=judgedaemon%(process_num)s
 numprocs=2
-command=/domjudge/bin/judgedaemon -n %(process_num)s
+command=PROJECT_DIR/bin/judgedaemon -n %(process_num)s
 user=domjudge
 autostart=true
 autorestart=true