Added config switch for disabling exec hooks on Linux (#2626)

* Switch added * Replaced raw env name with const * disabled by default * Fixed integration test
metalbear-co · Aug 1, 2024 · f282c55 · f282c55
1 parent d5e1a19
commit f282c55
Show file tree

Hide file tree

Showing 8 changed files with 49 additions and 5 deletions.
diff --git a/changelog.d/+linux-exec-hooks.changed.md b/changelog.d/+linux-exec-hooks.changed.md
@@ -0,0 +1 @@
+Disabled exec hooks on Linux by default. Added `experimental.enable_exec_hooks_linux` switch to the mirrord config.
diff --git a/mirrord-schema.json b/mirrord-schema.json
@@ -683,6 +683,14 @@
       "description": "mirrord Experimental features. This shouldn't be used unless someone from MetalBear/mirrord tells you to.",
       "type": "object",
       "properties": {
+        "enable_exec_hooks_linux": {
+          "title": "_experimental_ enable_exec_hooks_linux {#experimental-enable_exec_hooks_linux}",
+          "description": "Enables exec hooks on Linux. Enable Linux hooks can fix issues when the application shares sockets with child commands (e.g Python web servers with reload), but the feature is not stable and may cause other issues.",
+          "type": [
+            "boolean",
+            "null"
+          ]
+        },
         "readlink": {
           "title": "_experimental_ readlink {#experimental-readlink}",
           "description": "Enables the `readlink` hook.",

diff --git a/mirrord/config/configuration.md b/mirrord/config/configuration.md
@@ -387,6 +387,12 @@ IP:PORT to connect to instead of using k8s api, for testing purposes.
 mirrord Experimental features.
 This shouldn't be used unless someone from MetalBear/mirrord tells you to.
 
+## _experimental_ enable_exec_hooks_linux {#experimental-enable_exec_hooks_linux}
+
+Enables exec hooks on Linux. Enable Linux hooks can fix issues when the application
+shares sockets with child commands (e.g Python web servers with reload),
+but the feature is not stable and may cause other issues.
+
 ## _experimental_ readlink {#experimental-readlink}
 
 Enables the `readlink` hook.
@@ -395,7 +401,7 @@ Enables the `readlink` hook.
 
 <https://github.com/metalbear-co/mirrord/issues/2421#issuecomment-2093200904>
 
-# _experimental_ trust_any_certificate {#experimental-trust_any_certificate}
+## _experimental_ trust_any_certificate {#experimental-trust_any_certificate}
 
 Enables trusting any certificate on macOS, useful for <https://github.com/golang/go/issues/51991#issuecomment-2059588252>
 

diff --git a/mirrord/config/src/experimental.rs b/mirrord/config/src/experimental.rs
@@ -22,17 +22,26 @@ pub struct ExperimentalConfig {
     #[config(default = false)]
     pub readlink: bool,
 
-    /// # _experimental_ trust_any_certificate {#experimental-trust_any_certificate}
+    /// ## _experimental_ trust_any_certificate {#experimental-trust_any_certificate}
     ///
     /// Enables trusting any certificate on macOS, useful for <https://github.com/golang/go/issues/51991#issuecomment-2059588252>
     #[config(default = false)]
     pub trust_any_certificate: bool,
+
+    /// ## _experimental_ enable_exec_hooks_linux {#experimental-enable_exec_hooks_linux}
+    ///
+    /// Enables exec hooks on Linux. Enable Linux hooks can fix issues when the application
+    /// shares sockets with child commands (e.g Python web servers with reload),
+    /// but the feature is not stable and may cause other issues.
+    #[config(default = false)]
+    pub enable_exec_hooks_linux: bool,
 }
 
 impl CollectAnalytics for &ExperimentalConfig {
     fn collect_analytics(&self, analytics: &mut mirrord_analytics::Analytics) {
         analytics.add("tcp_ping4_mock", self.tcp_ping4_mock);
         analytics.add("readlink", self.readlink);
         analytics.add("trust_any_certificate", self.trust_any_certificate);
+        analytics.add("enable_exec_hooks_linux", self.enable_exec_hooks_linux);
     }
 }
diff --git a/mirrord/layer/src/exec_hooks/hooks.rs b/mirrord/layer/src/exec_hooks/hooks.rs
@@ -68,7 +68,7 @@ unsafe extern "C" fn execv_detour(path: *const c_char, argv: *const *const c_cha
 
     // `encoded` is emtpy if the encoding failed, so we don't set the env var.
     if !encoded.is_empty() {
-        std::env::set_var("MIRRORD_SHARED_SOCKETS", encoded);
+        std::env::set_var(SHARED_SOCKETS_ENV_VAR, encoded);
     }
 
     FN_EXECVE(path, argv, environ())

diff --git a/mirrord/layer/src/lib.rs b/mirrord/layer/src/lib.rs
@@ -533,7 +533,9 @@ fn enable_hooks(state: &LayerSetup) {
 
     unsafe { socket::hooks::enable_socket_hooks(&mut hook_manager, enabled_remote_dns) };
 
-    unsafe { exec_hooks::hooks::enable_exec_hooks(&mut hook_manager) };
+    if cfg!(target_os = "macos") || state.experimental().enable_exec_hooks_linux {
+        unsafe { exec_hooks::hooks::enable_exec_hooks(&mut hook_manager) };
+    }
 
     #[cfg(target_os = "macos")]
     {

diff --git a/mirrord/layer/tests/configs/port_mapping_shared_sockets.json b/mirrord/layer/tests/configs/port_mapping_shared_sockets.json
@@ -0,0 +1,13 @@
+{
+    "feature": {
+        "network": {
+            "incoming": {
+                "mode": "mirror",
+                "port_mapping": [[9999, 1234]]
+            }
+        }
+    },
+    "experimental": {
+        "enable_exec_hooks_linux": true
+    }
+}
diff --git a/mirrord/layer/tests/issue864.rs b/mirrord/layer/tests/issue864.rs
@@ -37,7 +37,12 @@ async fn test_issue864(
                 ("MIRRORD_UDP_OUTGOING", "false"),
                 ("OBJC_DISABLE_INITIALIZE_FORK_SAFETY", "YES"),
             ],
-            Some(config_dir.join("port_mapping.json").to_str().unwrap()),
+            Some(
+                config_dir
+                    .join("port_mapping_shared_sockets.json")
+                    .to_str()
+                    .unwrap(),
+            ),
         )
         .await;
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Disabled exec hooks on Linux by default. Added `experimental.enable_exec_hooks_linux` switch to the mirrord config.