diff --git a/Dockerfile b/Dockerfile
index 2311e7d3f048975ff9215f7d8b3ec4811fc0f385..0183d7eee1bc23bbe17c1e02747931c01eea903c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -54,7 +54,6 @@ EXPOSE 8080
 HEALTHCHECK --interval=1m --timeout=3s CMD curl -f 'http://localhost:8080/goemaxima?health=1'
-# rm /dev/tty because we do not want it to be opened by maxima for security reasons,
-# and clear tmp because when kubernetes restarts a pod, it keeps the /tmp content even if it's tmpfs,
+# clear tmp because when kubernetes restarts a pod, it keeps the /tmp content even if it's tmpfs,
 # which means that on a restart caused by an overfull tmpfs, it will keep restarting in a loop
-CMD rm /dev/tty && cd /tmp && rm --one-file-system -rf * && exec tini ${BIN}/goweb ${BIN}/maxima-optimised
+CMD cd /tmp && rm --one-file-system -rf * && exec tini ${BIN}/goweb ${BIN}/maxima-optimised
diff --git a/assets/maxima-fork.lisp b/assets/maxima-fork.lisp
index 2d1b365686147936cc4bb6458fe6088025da0230..a70e320c42795454e15984480835ad79e70d2dea 100644
--- a/assets/maxima-fork.lisp
+++ b/assets/maxima-fork.lisp
@@ -23,6 +23,10 @@
 #+sb-thread (sb-thread::with-system-mutex (sb-thread::*make-thread-lock*) (sb-impl::finalizer-thread-stop))
 (finish-output)
+ ;;; in order to prevent TIOCSTI related shenanigans, close the tty
+ ;;; (the native C function calls closefrom(3) so the tty fd will be closed as well)
+ (close *terminal-io*)
+ (setf *terminal-io* (make-two-way-stream sb-sys:*stdin* sb-sys:*stdout*))
 (let ((tmp-dir (fork-new-process)))
 #+sb-thread (sb-impl::finalizer-thread-start)
 (when (not tmp-dir)
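Review bot: The rewritten comment above CMD drops the security rationale the removed line carried, so a reader of the Dockerfile can no longer tell why /dev/tty is deliberately left in place; add a pointer to where the mitigation moved, e.g. `# the tty is closed in assets/maxima-fork.lisp before forking (TIOCSTI), so /dev/tty no longer needs removing here`. Note also that the container-wide `rm /dev/tty` covered every process in the image, whereas the Lisp close applies only to the maxima process, so it is worth confirming that goweb itself never opens the tty before relying on the narrower fix. Separately, the surviving `rm --one-file-system -rf *` relies on a shell glob that skips dot-entries, so hidden files in /tmp outlive the cleanup the comment describes; `find /tmp -xdev -mindepth 1 -delete` would clear those as well.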
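Review bot: The added comment says closefrom(3) in the native function closes the tty fd "as well", which leaves unclear whether `(close *terminal-io*)` is the actual mitigation or a belt-and-braces step; the comment should state which of the two is load-bearing and what the explicit Lisp-level close adds beyond the descriptor being dropped. Whether closefrom(3) reaches the tty at all depends on the lowest-fd argument passed in the C code, which is outside this hunk, so that is worth verifying against the fd SBCL opened for /dev/tty rather than asserting it in the comment. The replacement two-way stream over `sb-sys:*stdin*`/`sb-sys:*stdout*` means anything that later reads or writes through *terminal-io* (and, presumably, the streams that are synonyms for it) now talks to stdin/stdout with no tty semantics — presumably intended for this headless service, but a sentence saying so would save the next reader a detour. The enclosing function starts before and ends after the hunk.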