From 3b598cd1d04a98f029811670501771805ada029d Mon Sep 17 00:00:00 2001 From: Danny Kopping Date: Thu, 8 Aug 2024 14:11:42 +0200 Subject: [PATCH 1/2] docs: add note advising against shared CODER_CACHE_DIRECTORY dir Signed-off-by: Danny Kopping --- codersdk/deployment.go | 3 ++- docs/cli/server.md | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/codersdk/deployment.go b/codersdk/deployment.go index d3ef2f078ff1a..0d8d17cd4fac2 100644 --- a/codersdk/deployment.go +++ b/codersdk/deployment.go @@ -1978,7 +1978,8 @@ when required by your organization's security policy.`, }, { Name: "Cache Directory", - Description: "The directory to cache temporary files. If unspecified and $CACHE_DIRECTORY is set, it will be used for compatibility with systemd.", + Description: "The directory to cache temporary files. If unspecified and $CACHE_DIRECTORY is set, it will be used for compatibility with systemd. " + + "This directory is NOT safe to be configured as a shared directory across coderd/provisionerd replicas.", Flag: "cache-dir", Env: "CODER_CACHE_DIRECTORY", Default: DefaultCacheDir(), diff --git a/docs/cli/server.md b/docs/cli/server.md index 90034e14b2cc7..ae9eea9c8ac63 100644 --- a/docs/cli/server.md +++ b/docs/cli/server.md @@ -917,7 +917,7 @@ Origin addresses to respect "proxy-trusted-headers". e.g. 192.168.1.0/24. | YAML | cacheDir | | Default | ~/.cache/coder | -The directory to cache temporary files. If unspecified and $CACHE_DIRECTORY is set, it will be used for compatibility with systemd. +The directory to cache temporary files. If unspecified and $CACHE_DIRECTORY is set, it will be used for compatibility with systemd. This directory is NOT safe to be configured as a shared directory across coderd/provisionerd replicas. ### --postgres-url From e0e10cb364b209b69d57ceddfb872ccc31ff4fae Mon Sep 17 00:00:00 2001 From: Danny Kopping Date: Thu, 8 Aug 2024 14:31:41 +0200 Subject: [PATCH 2/2] making... 
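Review bot: The sentence added to the `Cache Directory` description in codersdk/deployment.go says the directory is "NOT safe" to share across coderd/provisionerd replicas, but it gives neither the reason nor the symptom, so an operator who already mounts one volume into several replicas cannot judge their exposure or recognise the failure when it happens. I would name the failure mode in the string itself and record the rationale in a comment above the option, for example `// Not safe to share between replicas: <reason / issue link>`. Nothing visible in this hunk detects or rejects a shared directory at startup; if no such check exists elsewhere, a logged warning would give operators something to alert on, since help text alone is easy to miss. The option literal continues past the end of the hunk.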
Signed-off-by: Danny Kopping --- cli/testdata/coder_server_--help.golden | 3 ++- cli/testdata/server-config.yaml.golden | 3 ++- codersdk/deployment.go | 12 ++++++------ enterprise/cli/testdata/coder_server_--help.golden | 3 ++- 4 files changed, 12 insertions(+), 9 deletions(-) diff --git a/cli/testdata/coder_server_--help.golden b/cli/testdata/coder_server_--help.golden index 15c44f0332cfe..54e9eeffc1248 100644 --- a/cli/testdata/coder_server_--help.golden +++ b/cli/testdata/coder_server_--help.golden @@ -22,7 +22,8 @@ OPTIONS: --cache-dir string, $CODER_CACHE_DIRECTORY (default: [cache dir]) The directory to cache temporary files. If unspecified and $CACHE_DIRECTORY is set, it will be used for compatibility with - systemd. + systemd. This directory is NOT safe to be configured as a shared + directory across coderd/provisionerd replicas. --disable-owner-workspace-access bool, $CODER_DISABLE_OWNER_WORKSPACE_ACCESS Remove the permission for the 'owner' role to have workspace execution diff --git a/cli/testdata/server-config.yaml.golden b/cli/testdata/server-config.yaml.golden index 1499565a96841..b050b662c56fa 100644 --- a/cli/testdata/server-config.yaml.golden +++ b/cli/testdata/server-config.yaml.golden @@ -414,7 +414,8 @@ updateCheck: false # (default: , type: bool) enableSwagger: false # The directory to cache temporary files. If unspecified and $CACHE_DIRECTORY is -# set, it will be used for compatibility with systemd. +# set, it will be used for compatibility with systemd. This directory is NOT safe +# to be configured as a shared directory across coderd/provisionerd replicas. # (default: [cache dir], type: string) cacheDir: [cache dir] # Controls whether data will be stored in an in-memory database. diff --git a/codersdk/deployment.go b/codersdk/deployment.go index 0d8d17cd4fac2..c26866420545b 100644 --- a/codersdk/deployment.go +++ b/codersdk/deployment.go 
@@ -1977,14 +1977,14 @@ when required by your organization's security policy.`, Annotations: serpent.Annotations{}.Mark(annotationExternalProxies, "true"), }, { - Name: "Cache Directory", + Name: "Cache Directory", Description: "The directory to cache temporary files. If unspecified and $CACHE_DIRECTORY is set, it will be used for compatibility with systemd. " + "This directory is NOT safe to be configured as a shared directory across coderd/provisionerd replicas.", - Flag: "cache-dir", - Env: "CODER_CACHE_DIRECTORY", - Default: DefaultCacheDir(), - Value: &c.CacheDir, - YAML: "cacheDir", + Flag: "cache-dir", + Env: "CODER_CACHE_DIRECTORY", + Default: DefaultCacheDir(), + Value: &c.CacheDir, + YAML: "cacheDir", }, { Name: "In Memory Database", diff --git a/enterprise/cli/testdata/coder_server_--help.golden b/enterprise/cli/testdata/coder_server_--help.golden index 1d28755d3e2d1..0337e239d54a4 100644 --- a/enterprise/cli/testdata/coder_server_--help.golden +++ b/enterprise/cli/testdata/coder_server_--help.golden @@ -23,7 +23,8 @@ OPTIONS: --cache-dir string, $CODER_CACHE_DIRECTORY (default: [cache dir]) The directory to cache temporary files. If unspecified and $CACHE_DIRECTORY is set, it will be used for compatibility with - systemd. + systemd. This directory is NOT safe to be configured as a shared + directory across coderd/provisionerd replicas. --disable-owner-workspace-access bool, $CODER_DISABLE_OWNER_WORKSPACE_ACCESS Remove the permission for the 'owner' role to have workspace execution