rosslh/coolify
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

fix(ssh): verify mux readiness before reusing socket

Browse source 
Use ssh -O check in the first-use mux lock flow so commands only reuse a multiplexed socket after the control master is actually ready.
This commit is contained in:
Andras Bacsai 2026-05-22 18:22:22 +02:00
parent 5c67766f41
commit a13fb3cf00
2 changed files with 27 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

33
app/Helpers/SshMultiplexingHelper.php
View file

@ -28,15 +28,20 @@ public static function ensureMultiplexedConnection(Server $server): bool
public static function removeMuxFile(Server $server): void
{
$closeCommand = 'ssh -O exit -o ControlPath='.self::muxSocket($server).' ';
if (data_get($server, 'settings.is_cloudflare_tunnel')) {
$closeCommand .= '-o ProxyCommand="cloudflared access ssh --hostname %h" ';
}
$closeCommand .= self::escapedUserAtHost($server);
$closeCommand = self::muxControlCommand($server, 'exit');
Process::run($closeCommand);
}
private static function muxControlCommand(Server $server, string $operation): string
{
$command = "ssh -O {$operation} -o ControlPath=".self::muxSocket($server).' ';
if (data_get($server, 'settings.is_cloudflare_tunnel')) {
$command .= '-o ProxyCommand="cloudflared access ssh --hostname %h" ';
}
return $command.self::escapedUserAtHost($server);
}
public static function generateScpCommand(Server $server, string $source, string $dest): string
{
$sshConfig = self::serverSshConfiguration($server);
@ -128,24 +133,31 @@ private static function withFirstUseMuxLock(Server $server, string $command): st
$lockDirectory = self::muxLockDirectory($server);
$lockTimeout = (int) config('constants.ssh.mux_lock_timeout');
$checkCommand = self::muxControlCommand($server, 'check');
$script = <<<'SH'
cmd=$1
socket=$2
lock=$3
timeout=$4
check=$5
run_command() {
sh -c "$cmd"
}
if [ -S "$socket" ]; then
mux_ready() {
[ -S "$socket" ] && sh -c "$check" >/dev/null 2>&1
}
if mux_ready; then
run_command
exit $?
fi
waited=0
while ! mkdir "$lock" 2>/dev/null; do
if [ -S "$socket" ]; then
if mux_ready; then
run_command
exit $?
fi
@ -171,7 +183,7 @@ private static function withFirstUseMuxLock(Server $server, string $command): st
child=$!
for _ in 1 2 3 4 5 6 7 8 9 10; do
if [ -S "$socket" ] || ! kill -0 "$child" 2>/dev/null; then
if mux_ready || ! kill -0 "$child" 2>/dev/null; then
break
fi
sleep 0.1
@ -186,7 +198,8 @@ private static function withFirstUseMuxLock(Server $server, string $command): st
.escapeshellarg($command).' '
.escapeshellarg($muxSocket).' '
.escapeshellarg($lockDirectory).' '
.escapeshellarg((string) $lockTimeout);
.escapeshellarg((string) $lockTimeout).' '
.escapeshellarg($checkCommand);
}
private static function escapedUserAtHost(Server $server): string

8
tests/Feature/SshMultiplexingLockTest.php
View file

@ -71,8 +71,8 @@ function makeMuxServer(): Server
->toContain("-o ControlPath=/var/www/html/storage/app/ssh/mux/mux_{$server->uuid}")
->toContain("/var/www/html/storage/app/ssh/mux/mux_{$server->uuid}.lock")
->toContain('-o ControlPersist=3600')
->not->toContain('ssh -fN')
->not->toContain('-O check');
->toContain('-O check')
->not->toContain('ssh -fN');
Process::assertNothingRan();
});
@ -105,8 +105,8 @@ function makeMuxServer(): Server
->toContain("-o ControlPath=/var/www/html/storage/app/ssh/mux/mux_{$server->uuid}")
->toContain("/var/www/html/storage/app/ssh/mux/mux_{$server->uuid}.lock")
->toContain('-o ControlPersist=3600')
->not->toContain('ssh -fN')
->not->toContain('-O check');
->toContain('-O check')
->not->toContain('ssh -fN');
Process::assertNothingRan();
});