[DRAFT] Consider symlinks when watching certificate file paths #50074
Conversation
Also watch resolved targets of symlinks. There are still some rough edges around directory symlinks, since non-polling watchers tend not to notify us when they change. I think there might be something we can do, but I have yet to investigate. This may or may not work for the k8s case, depending on what events are produced when the `..data` symlink is updated (and whether polling is enabled).
ghost
added
the
Specifically, move the file watcher up one level so that we can also see changes to the parent directory of a cert, even if it's a symlink. Note that this approach still won't handle changes to directories further up the hierarchy. It also does nothing for files directly in the root directory which, presumably, can't be modified anyway. The tests are failing because they're testing for things that are no longer intended to be true.
|
Why not do this in the runtime? |
My plan was to port (some of) this code to runtime for 9.0. I understood Eric to say it wasn't on the table for 8.0. |
|
This feels like way too much specialized code in kestrel for what is supposed to be file watching. |
|
Cc @jozkee |
I generally agree, but deciding how much symlink resolution to do when watching files feels somewhat app-specific, so there would need to be knobs. (File symlinks are pretty straightforward, but walking up the directory hierarchy to find directory symlinks and junctions and then monitoring all of the paths indirectly referred to - probably with a watcher at the drive route - seems like more of an investment.) I 100% agree that |
|
I feel like this should've been fixed by dotnet/runtime#55664. Do I understand correctly from #32351 (comment) that polling doesn't handle symlinks correctly? If so, that's a bug in our runtime libraries. |
|
I haven't confirmed @aelij's result - I'm still having some trouble with the deploy script - but it makes sense to me. I wouldn't expect the poller's symlink code to see the |
If we watch recursively, i.e: we are watching ..data/tls.key, then that file symlink can be resolved and the updated LastWriteTime would trigger the change event. I don't remember if we watch recursively. |
I wouldn't have guessed the filter "tls.key" would match "..data/tls.key", regardless of whether the watcher is aware of the change. |
|
|
|
But it's effectively a coincidence that the symlink key.tls points to another file with the same name? It could just as easily be key.date.tls. We're not presently using globbing, since that seemed like the most straightforward way to be notified of changes to particular files (esp since the change notification does not, AFAIK, indicate which file was changed). |
|
@amcasey can you please try using Polling with a Perhaps this PR is not needed if that works. Here's the list of supported patterns supported by the underlying Matcher: |
|
@jozkee My concern with globbing is that two files can be related but have different names or be unrelated and have the same name. Am I missing something? |
|
What does related mean in this context? I somehow thought you wanted to watch the whole |
amcasey
added
area-networking
|
This solution was partial, at best - it only looked up one level of the directory hierarchy. |
4 participants
Also watch resolved targets of symlinks.
There are still some rough edges around directory symlinks, since non-polling watchers tend not to notify us when they change. I think there might be something we can do, but I have yet to investigate.
This may or may not work for the k8s case, depending on what events are produced when the
..datasymlink is updated (and whether polling is enabled).