Possible regex bug in Quadlet #25339

Open
coxde opened this issue Feb 16, 2025 · 6 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. quadlet

Comments

@coxde

coxde commented Feb 16, 2025

Issue Description

I'm running a Traefik container via Quadlet, and there is a line in traefik.container like this:
Label=traefik.http.middlewares.redirect.redirectregex.regex=^https://(.*)/.well-known/(webfinger|nodeinfo|host-meta)(\?.*)?$

However, the generated .service file does not contain this line. After some tweaking, I found out it's related to \?; it's perfectly fine without it. I'm guessing it might be about the regex processing part of Quadlet?

Steps to reproduce the issue

  1. Create traefik.container in ~/.config/containers/systemd/
  2. Include the line Label=traefik.http.middlewares.redirect.redirectregex.regex=^https://(.*)/.well-known/(webfinger|nodeinfo|host-meta)(\?.*)?$
  3. Run systemctl --user daemon-reload
  4. Run systemctl --user cat traefik.service and that line is not included in the .service file

Describe the results you received

I've messed around with the regex and found out it's related to \? in the line; the line is included fine without it. I'm guessing it might be about the regex processing part of Quadlet? I also tried wrapping the line with "" but it didn't work.

Describe the results you expected

Label=traefik.http.middlewares.redirect.redirectregex.regex=^https://(.*)/.well-known/(webfinger|nodeinfo|host-meta)(\?.*)?$ should be included.

podman info output

host:
  arch: amd64
  buildahVersion: 1.38.0
  cgroupControllers:
  - cpu
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.12-3.fc41.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.12, commit: '
  cpuUtilization:
    idlePercent: 97.79
    systemPercent: 0.84
    userPercent: 1.36
  cpus: 8
  databaseBackend: sqlite
  distribution:
    distribution: fedora
    variant: coreos
    version: "41"
  eventLogger: journald
  freeLocks: 2039
  hostname: REDACTED
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
  kernel: 6.12.9-200.fc41.x86_64
  linkmode: dynamic
  logDriver: journald
  memFree: 683764528
  memTotal: 8994261552
  networkBackend: netavark
  networkBackendInfo:
    backend: netavark
    dns:
      package: aardvark-dns-1.13.1-1.fc41.x86_64
      path: /usr/libexec/podman/aardvark-dns
      version: aardvark-dns 1.13.1
    package: netavark-1.13.1-1.fc41.x86_64
    path: /usr/libexec/podman/netavark
    version: netavark 1.13.1
  ociRuntime:
    name: crun
    package: crun-1.19.1-1.fc41.x86_64
    path: /usr/bin/crun
    version: |-
      crun version 1.19.1
      commit: 3e32a70c93f5aa5fea69b50256cca7fd4aa23c80
      rundir: /run/user/1000/crun
      spec: 1.0.0
      +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL
  os: linux
  pasta:
    executable: /usr/bin/pasta
    package: passt-0^20241211.g09478d5-1.fc41.x86_64
    version: |
      pasta 0^20241211.g09478d5-1.fc41.x86_64
      Copyright Red Hat
      GNU General Public License, version 2 or later
        <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
  remoteSocket:
    exists: true
    path: /run/user/1000/podman/podman.sock
  rootlessNetworkCmd: pasta
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /usr/share/containers/seccomp.json
    selinuxEnabled: true
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.3.1-1.fc41.x86_64
    version: |-
      slirp4netns version 1.3.1
      commit: e5e368c4f5db6ae75c2fce786e31eef9da6bf236
      libslirp: 4.8.0
      SLIRP_CONFIG_VERSION_MAX: 5
      libseccomp: 2.5.5
  swapFree: 1995698176
  swapTotal: 1997008896
  uptime: 58h 54m 14.00s (Approximately 2.42 days)
  variant: ""
plugins:
  authorization: null
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.fedoraproject.org
  - registry.access.redhat.com
  - docker.io
store:
  configFile: /var/home/REDACTED/.config/containers/storage.conf
  containerStore:
    number: 4
    paused: 0
    running: 4
    stopped: 0
  graphDriverName: overlay
  graphOptions: {}
  graphRoot: /var/home/REDACTED/.local/share/containers/storage
  graphRootAllocated: 40356524032
  graphRootUsed: 10039848960
  graphStatus:
    Backing Filesystem: xfs
    Native Overlay Diff: "true"
    Supports d_type: "true"
    Supports shifting: "false"
    Supports volatile: "true"
    Using metacopy: "false"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 6
  runRoot: /run/user/1000/containers
  transientStore: false
  volumePath: /var/home/REDACTED/.local/share/containers/storage/volumes
version:
  APIVersion: 5.3.1
  Built: 1732147200
  BuiltTime: Thu Nov 21 00:00:00 2024
  GitCommit: ""
  GoVersion: go1.23.3
  Os: linux
  OsArch: linux/amd64
  Version: 5.3.1

Podman in a container

No

Privileged Or Rootless

Rootless

Upstream Latest Release

No

Additional environment details

No response

Additional information

No response

@coxde coxde added the kind/bug Categorizes issue or PR as related to a bug. label Feb 16, 2025
@Luap99 Luap99 added the quadlet label Feb 17, 2025
@ygalblum
Contributor

Thanks for reporting this. I was able to reproduce this issue and the fact that if I remove the /? the label is passed. I'll look into it.

@ygalblum
Contributor

I found the following:

  1. The issue is more with the / character than the specific combination /?
  2. The problem is that Quadlet sees / as the start of an escape sequence but /? is not a valid one. As a result, it drops the string. The error is created here.
  3. As can be seen here, the error can be avoided by setting SplitUnescapeRelax.
  4. A fix would go here.
  5. I've tested it and the tests are not failing. However, I need to make sure it does not cause any regression.

In the meantime, the solution is to escape the /. So instead of:

Label=traefik.http.middlewares.redirect.redirectregex.regex=^https://(.*)/.well-known/(webfinger|nodeinfo|host-meta)(\?.*)?$

Set:

Label=traefik.http.middlewares.redirect.redirectregex.regex=^https://(.*)/.well-known/(webfinger|nodeinfo|host-meta)(\\?.*)?$

Let me know if this solves your issue.

@ygalblum
Contributor

@giuseppe @Luap99 @alexlarsson WDYT?

@Luap99
Member

Luap99 commented Feb 19, 2025

How does a regular systemd unit parse that string? My assumption is the parsing should behave the same between quadlet and systemd.

@ygalblum
Contributor

You're right.

I've tried the following service unit file that defines a variable and echoes its value. I then tested a value with /? and with //?.

Without escaping:

[Unit]
Description=Echo Environment Variable
After=network.target

[Service]
Type=oneshot
ExecStart=/bin/bash -c 'echo "MY_VARIABLE=$MY_VARIABLE"'
Environment="MY_VARIABLE=Hello, Systemd\?"
StandardOutput=journal
StandardError=journal

[Install]
WantedBy=multi-user.target

I got the following error in the journal:

Feb 19 15:37:28 lima-default systemd[988]: /home/yblum.linux/.config/systemd/user/echo-env.service:8: Invalid syntax, ignoring: "MY_VARIABLE=Hello, Systemd\?"
Feb 19 15:37:28 lima-default systemd[988]: Starting echo-env.service - Echo Environment Variable...
Feb 19 15:37:28 lima-default bash[138617]: MY_VARIABLE=
Feb 19 15:37:28 lima-default systemd[988]: Finished echo-env.service - Echo Environment Variable.

But with escaping:

[Unit]
Description=Echo Environment Variable
After=network.target

[Service]
Type=oneshot
ExecStart=/bin/bash -c 'echo "MY_VARIABLE=$MY_VARIABLE"'
Environment="MY_VARIABLE=Hello, Systemd\\?"
StandardOutput=journal
StandardError=journal

[Install]
WantedBy=multi-user.target

I got:

Feb 19 15:39:09 lima-default systemd[988]: Starting echo-env.service - Echo Environment Variable...
Feb 19 15:39:09 lima-default bash[138788]: MY_VARIABLE=Hello, Systemd\?
Feb 19 15:39:09 lima-default systemd[988]: Finished echo-env.service - Echo Environment Variable.

So, to follow systemd's behavior, the code should not change and escaping in the Quadlet file is required.

Having said that, currently, the behavior is a silent disregard of the error. Should Quadlet:

  1. Stay with the current behavior
  2. Fail the unit's translation
  3. Succeed with a warning (not sure the current code allows it)

@coxde
Author

coxde commented Feb 20, 2025

@ygalblum Hi, thanks for that! I've tested it and it did work. So, like in the discussion, IMO it might be better to show a warning when Quadlet ignores the syntax, which is systemd's behavior and makes debugging much easier.
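Added example, not part of the issue thread and not code from Podman or systemd: a small pre-flight check that reports `Label=` and `Environment=` lines whose value contains a backslash sequence outside the escape table in systemd.syntax(7), which is the condition that caused the line to be dropped silently above. The names `badEscape`, `Lint` and `sample` are hypothetical, the sample unit is constructed from the values quoted in the thread, and limiting the check to those two keys is an assumption.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample built from the Label= and Environment= values quoted in the thread.
const sample = `[Container]
Label=traefik.http.middlewares.redirect.redirectregex.regex=^https://(.*)/.well-known/(webfinger|nodeinfo|host-meta)(\?.*)?$
Label=traefik.http.middlewares.redirect.redirectregex.regex=^https://(.*)/.well-known/(webfinger|nodeinfo|host-meta)(\\?.*)?$
Environment="MY_VARIABLE=Hello, Systemd\?"
`

// badEscape returns the first invalid backslash sequence in v, or "" (trailing backslash = continuation).
func badEscape(v string) string {
	for i := 0; i+1 < len(v); i++ {
		if v[i] != '\\' {
			continue
		}
		c, digits := v[i+1], "0123456789abcdefABCDEF"
		n := map[byte]int{'x': 2, 'u': 4, 'U': 8}[c] // \xHH, \uHHHH, \UHHHHHHHH
		if c >= '0' && c <= '7' {
			n, digits = 2, "01234567" // \NNN: two more octal digits follow the first
		} else if n == 0 && strings.IndexByte(`abfnrtv\"'s`, c) < 0 {
			return `\` + string([]rune(v[i+1:])[:1]) // unknown escape such as \?
		}
		end := i + 2 + n
		if end > len(v) || strings.Trim(v[i+2:end], digits) != "" {
			return v[i:] // malformed numeric escape: report the rest of the value
		}
		i = end - 1 // skip the whole escape so `\\?` is not re-read as `\?`
	}
	return ""
}

// Lint maps 1-based line numbers of Label=/Environment= lines to their invalid sequence.
func Lint(unit string) map[int]string {
	found := map[int]string{}
	for i, line := range strings.Split(unit, "\n") {
		key, value, ok := strings.Cut(strings.TrimSpace(line), "=")
		key = strings.TrimSpace(key)
		if seq := badEscape(value); ok && (key == "Label" || key == "Environment") && seq != "" {
			found[i+1] = seq
		}
	}
	return found
}

func main() { fmt.Println(Lint(sample)) }
```

Running it over a directory of Quadlet files before `systemctl --user daemon-reload` surfaces the lines that would otherwise disappear from the generated unit without a message.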
