Add --socket option to listen on a UNIX socket#1862
Conversation
|
The option name ( The current changes do not affect the HA ingress or remote build sites, since UNIX socket listening is mainly used with reverse proxies and seems less useful/applicable for those. If requested in the future, I did not find any existing tests that seemed related to the socket binding options, so I held off adding anything for now. Happy to add some if I can get a bit of direction as to the preferred location/approach. |
|
Definitely needs some tests for this |
|
@esphbot review |
Direction on tests: use |
Agreed. Location: |
|
|
esphbot
left a comment
There was a problem hiding this comment.
Blocking issues found.
- No test coverage for the --socket path (maintainer-requested)
- New --socket flag is undocumented, but the docs checkbox is ticked
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #1862 +/- ##
==========================================
+ Coverage 99.56% 99.58% +0.01%
==========================================
Files 234 239 +5
Lines 18982 19399 +417
==========================================
+ Hits 18899 19318 +419
+ Misses 83 81 -2
Flags with carried forward coverage won't be shown. Click here to find out more.
🚀 New features to boost your workflow:
|
|
Added additional documentation and UNIX socket case coverage to the relevant Did not try to tackle messing with the socket file permissions. (Which is a divergence from the legacy dashboard.) For one, it is poorly-supported / rather cumbersome under |
|
If you want to do an |
Agreed on skipping socket perms. World-writable defeats the socket boundary; post-bind chmod has a race window. Default ACLs or same-uid proxy are the safe paths. Fits a future One nit on the added tests: |
|
|
esphbot
left a comment
There was a problem hiding this comment.
Blocking issues found.
- Operator precedence makes the TCP-path host assertion vacuous
One aiohttp-adjacent gap here. |
PR Review — Add --socket option to listen on a UNIX socketClean, correctly-scoped feature; the prior operator-precedence blocker is now fixed and nothing else blocks merge. Specific strengths:
Checklist
Automated review by Kōan (Claude) |
esphbot
left a comment
There was a problem hiding this comment.
No blocking issues found.
bdraco
left a comment
There was a problem hiding this comment.
Please update THREAT_MODEL.md to explain the default permissions are not a bug and not something we defend
What does this implement/fix?
Add a command line option (
--socket) that makes the primary web server listen on a specified UNIX socket path (instead of TCP). This restores a feature that was previously available in the legacy dashboard.Related issue or feature (if applicable):
Types of changes
bugfixnew-featureenhancementbreaking-changerefactordocsmaintenancecidependenciesFrontend coordination
Checklist
ruff,codespell, yaml/json/python checks).tests/where applicable.components.index.json/definitions/components/*.jsonhave not been hand-edited (regenerate viascript/sync_components.pyif a sync is needed).docs/ARCHITECTURE.mdand/ordocs/API.md.